On Tue, Aug 13, 2013 at 9:25 AM, Ben Lincoln (F70C92E3)
f70c9...@beneaththewaves.net wrote:
Unfortunately, it does look somewhat suspicious from a phishing
perspective, especially if a link to a paypal.com subdomain redirects to
it, which (to an end user) looks a lot like what happens when a
On Mon, Feb 18, 2013 at 7:07 AM, Peter Gutmann pgut...@cs.auckland.ac.nzwrote:
I've just done a quick tally of the certs posted to
http://www.ccssforum.org/malware-certificates.php, a.k.a. Digital
Certificates Used by Malware. Looks like Verisign (and its sub-brand
Thawte)
are the
I think what you really want is the ability within Google's interface to
specify how you'd like the certificate verified. If the threat model they
are defending against is MiTM, then merely accepting the certificate
without prompting from you provides protection against passive
eavesdropping
On Fri, Oct 26, 2012 at 2:27 AM, ianG i...@iang.org wrote:
- It probably wasn't an accidental mis-config, because it's unlikely that
a
pile of major organisations would all make the same config mistake.
Look at
SSL, the exact same organisations have no problem using strong SSL
keys,
On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray ma...@extendedsubset.com wrote:
Still it might be worth pointing that if Wells Fargo really wanted to
forbid a Trustwave network-level MitM, SSL/TLS provides the capability to
enforce that policy at the protocol level. They could configure their web
On Tue, Feb 7, 2012 at 6:05 AM, Marcus Brinkmann
marcus.brinkm...@ruhr-uni-bochum.de wrote:
That's a false dilemma. You could also extract trust from your cache, ie
your past experience with the same server (the SSH model), and/or from your
past connections with the internet (CRL or
On Sun, Sep 18, 2011 at 2:01 PM, James A. Donald jam...@echeque.com wrote:
SSL fails at low security stuff in that it allows phishing,
snark
You know what else fails at fighting phishing?
- The locks on my car door
- The fence surrounding my house
- The full disk encryption on my laptop
On Wed, Sep 14, 2011 at 7:34 PM, Arshad Noor arshad.n...@strongauth.com wrote:
However, an RP must assess this risk before trusting a self-signed
Root CA's certificate. If you believe there is uncertainty, then
don't trust the Root CA. Delete their certificate from your browser
and other
On Tue, Sep 13, 2011 at 10:48 AM, Steven Bellovin s...@cs.columbia.edu wrote:
Furthermore,
they're probably right; most of the certificate errors I've
seen over the years were from ordinary carelessness or errors,
rather than an attack; clicking OK is *precisely* the right
thing to do.
Is
On Tue, Sep 13, 2011 at 4:09 PM, Ralph Holz h...@net.in.tum.de wrote:
Well, yes, but it is the Alexa Top 1 million list that is scanned. I can
give you a few numbers for the Top 1K or so, too, but it does remain a
relative popularity.
How many of those sites ever advertise an HTTPS end-point
On Sun, Sep 11, 2011 at 10:45 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
James A. Donald jam...@echeque.com writes:
On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
1. Phishing isn't the only problem right?
2. To some degree this is a game where we have to guess their next
step, and make
On Sun, Sep 11, 2011 at 8:37 AM, Douglas Huff dh...@jrbobdobbs.org wrote:
On Sep 11, 2011, at 9:25 AM, Thierry Moreau wrote:
E.g. http://datatracker.ietf.org/wg/dane/ (DNS-based Authentication of Named
Entities (dane))
Which makes a huge assumption about DNS SEC that is just not realistic.
On Fri, Sep 9, 2011 at 6:22 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
May I make the following modest proposal:
A fix (of whatever form you want to try) is only regarded as valid if it
leads to at least a 25% decrease in phishing, measured over the interval
before and after its
On Sat, Sep 10, 2011 at 11:46 AM, Ian G i...@iang.org wrote:
2) Phishing using a similar-looking domain name.
Yes. That's the big one in this space. Afaik.
I'd be surprised actually. Most phishing sites are mass-compromises
of other websites, or mass-hosting on funky names/addresses, often
On Sat, Sep 10, 2011 at 4:46 PM, John Levine jo...@iecc.com wrote:
But Steve, generic malware runs on your PC or in your browser. If
they wanted to steal card numbers, they'd steal card numbers today,
from the browser or by key logging, before the numbers got TLS-ed.
Since they don't do it
On Thu, Sep 8, 2011 at 1:30 AM, Ralph Holz h...@net.in.tum.de wrote:
Hi,
I (still) cannot believe how Symantec reacts to the DigiNotar breaches -
basically ignoring the known shortcomings:
http://www.symantec.com/connect/blogs/why-your-certificate-authority-matters
To be contrarian for a
On Wed, Jul 13, 2011 at 8:40 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Maybe we travel in different circles, but both in sysadmin circles and in
instances where it's come up in the past on security lists as an example of a
successful security protocol, it reason for success has always
On Tue, Jul 12, 2011 at 2:24 PM, Zooko O'Whielacronx zo...@zooko.com wrote:
When systems come with good usability properties in the key management
(SSH, and I modestly suggest ZRTP and Tahoe-LAFS) then we don't see
this pattern. People are willing to use secure tools that have a good
usable
On Tue, Jul 12, 2011 at 3:56 PM, Ian G i...@iang.org wrote:
The SSH-vs-telnet example was back in the mid-90s where there were two
alternatives: secure telnet and this new-fangled thing called SSH.
The way it for for everyone I knew that went through it was:
1. Sniffing was sort of a
19 matches
Mail list logo
